Google Bans Dozens of Apps Containing Illicit Data-Harvesting Software
Everything from weather to prayer apps was found to contain hidden code that could harvest a user's location, email address, phone number and more.
Dozens of consumer-facing apps were pulled from the Google Play Store after researchers found they contained hidden code intended to stealthily collect personal user data — including email address, phone number, precise location and more.
Measurement Systems, the company behind the operation, allegedly paid developers to embed the code into their software development kits — or SDKs — The Wall Street Journal reported. In exchange for adding the illicit code to their software, the developers would be compensated monetarily and receive access to collected user data. The Panama-based company has also been linked to contractors involved in cyberintelligence operations for U.S. security agencies.
The data-harvesting code was discovered by researchers Serge Egelman of UC Berkeley and Joel Reardon of the University of Calgary, who elaborate on the disturbing findings in an AppCensus blog post. Reardon breaks down how the code works, what data is collected and who exactly receives it, all of which reveal the magnitude of the privacy violations across dozens of consumer-facing apps. Along with personal information like one's email and phone number, Reardon highlights as "particularly frightening" the code's ability to gather a user's precise GPS location. "Such a database could be used to run a service to look up a person's location history just by knowing their phone number or email, and could be used to target journalists, dissidents, or political rivals," Reardon writes in the blog post.
Measurement Systems has denied all claims and, in an emailed statement to the WSJ, called the allegations "false" and denied any connection to U.S. national security agencies.
Apps that contained the code include Speed Camera Radar, WiFi Mouse, QR & Barcode Scanner and Qibla Compass - Ramadan 2022, among dozens of others. While Google has pulled the apps reported to have the code, a spokesperson told the WSJ that the apps may apply for reinstatement once the forbidden code is removed.